On Fri, Jun 4, 2010 at 5:25 PM, Todd Zullinger <t...@pobox.com> wrote:
> Oded wrote:
>> Never tried it myself but I think you can create the certificate as
>> a part of the provisioning process, and then somehow place it in the
>> new server.
>> http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates
>
> Without reading the link to see if it's similar to what I do, I have a
> script I run on the puppet master to pre-generate certificates and
> package them as rpm's. These then go into a repository which the
> install is setup to use and the certificate package is installed by
> kickstart.
>
> The package, if you're curious is at:
>
> http://tmz.fedorapeople.org/packages/puppet-host-package-0.6.0-1.el5.src.rpm
>
> It's not polished in any way. It's one of those "works for me,
> someday I should finish and improve it" things.
>
> But I prefer this to enabling autosign.
>
Nice idea.... I like that. I had toyed with adding such an autosign-simulating feature to Cobbler that ohad mentioned (but different*), but I don't see how that provides any greater security, as once you have automated provisioning via TFTP (it's an open protocol by design), it's really a moot point to claim you're layering extra security on top. Also Anaconda doesn't support access control around accessing kickstarts.

* = rather than enabling autosign, the system would note what hosts just started kickstart, and let cobblerd sign that specific host once it shows up in 'puppetca', polling periodically, until the host indicates it reaches 'kickstart done' status, or after 30 minutes, whichever is sooner. That way there's no need to enable autosign, but it's effectively the same thing. The system could also remove certificates for hosts that were being reinstalled if kicked off from a secure interface (can't really trust PXE and HTTP requests).

--Michael
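A sketch of the per-host signing loop described in the footnote above, added here as an illustration; it is not code from Cobbler or Puppet. It assumes the old `puppetca --list` / `puppetca --sign HOST` interface, that `--list` prints one pending CSR hostname per line, and that the caller (the provisioning system) knows which single host it just kicked off; the `PUPPETCA` variable only exists so the command can be swapped for a stub when testing.

```shell
#!/bin/sh
# Sign the CSR of exactly one expected host, polling puppetca until the
# request appears or a deadline passes. Any other pending request is left
# untouched, which is the difference from enabling autosign.
# Hypothetical helper, not Cobbler's or Puppet's own code.

PUPPETCA=${PUPPETCA:-puppetca}   # command (or stub function) to invoke
POLL_SECS=${POLL_SECS:-30}       # seconds between polls

# Assumption: `puppetca --list` prints one pending hostname per line.
pending_requests() {
    "$PUPPETCA" --list 2>/dev/null
}

sign_host() {
    "$PUPPETCA" --sign "$1"
}

# sign_expected_host HOST DEADLINE_SECS
# Returns 0 once HOST's CSR has been signed, 1 if the deadline passes
# (the 30-minute window in the footnote would be DEADLINE_SECS=1800).
sign_expected_host() {
    host=$1
    deadline=$2
    waited=0
    while [ "$waited" -le "$deadline" ]; do
        # Exact, whole-line match so "web01" never matches "web011".
        if pending_requests | grep -qx "$host"; then
            sign_host "$host" && return 0
        fi
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done
    return 1
}
```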